
Proc. Natl. Acad. Sci. USA Vol. 84, pp. 1739-1743, April 1987
Mathematics

Algebraic complexities and algebraic curves over finite fields (polynomial multiplication/interpolation)

D. V. CHUDNOVSKY AND G. V. CHUDNOVSKY
Department of Mathematics, Columbia University, New York, NY 10027

Communicated by Herbert Robbins, November 20, 1986

ABSTRACT We consider the problem of minimal (multiplicative) complexity of polynomial multiplication and multiplication in finite extensions of fields. For infinite fields minimal complexities are known [Winograd, S. (1977) Math. Syst. Theory 10, 169-180]. We prove lower and upper bounds on minimal complexities over finite fields, both linear in the number of inputs, using the relationship with linear coding theory and algebraic curves over finite fields.

The algebraic complexity problem that is richest in underlying structure is the problem of fast polynomial multiplication. Among the problems reducible to this are fast multiplication of multiple-precision numbers, greatest common divisors in polynomial rings, Hankel matrix multiplication, computation of Padé approximations, and computation of finite Fourier transformations. Significant progress in this problem, due to Winograd (1), Fiduccia and Zalcstein (2), and Adler and Strassen (3), has mainly concentrated on minimal multiplicative complexities (m.m.c.) of polynomial multiplication over fields. According to Winograd (1), for an infinite field $k$ the multiplicative complexity $\mu_k(m, n)$ of multiplication of polynomials of degrees $m - 1$ and $n - 1$ over $k$ (for precise definitions of the m.m.c., see below) is $m + n - 1$. The m.m.c. $\mu_k(p)$ of multiplication of polynomials mod $p(t)$ for $p(t) \in k[t]$ of degree $n$ is equal to $2n - k$, where $k$ here denotes the number of distinct irreducible factors of $p(t)$ in $k[t]$. Moreover, there is a complete description of the algorithms having this m.m.c. (1, 4). All these algorithms are based on the Toom-Cook method of reconstruction of polynomial products by way of the Lagrange interpolation formula. A significant drawback of these algorithms, say, over $\mathbb{Q}$, is the appearance of scalar multiplications with large sizes of scalars [of the order $(m + n)^{m+n}$ as $m + n \to \infty$] and the necessity to invert a large number of primes in $\mathbb{Z}$ to achieve the m.m.c. in the ring of scalars. From the point of view of practical applications it is preferable to have divisions by powers of 2 at most; i.e., one should consider m.m.c. schemes over $A = \mathbb{Z}$ or $A = \mathbb{Z}[1/2]$. Schönhage and Strassen (5), Winograd (1), Nussbaumer (6), and others constructed fast algorithms with divisions by 2 only, by considering polynomial multiplications modulo cyclotomic divisors of $X^N - 1$.

The best upper bound on the m.m.c. of multiplication of polynomials with degrees bounded by $n$ over the rings $A = \mathbb{Z}$, $\mathbb{Z}[1/2]$ (and, in particular, over any finite field) that one can achieve using variations of the fast Fourier transformation method is $O(n \log n)$. The corresponding scheme for $A = \mathbb{Z}$ is far from simple. To study the optimal $\mathbb{Z}$-algorithms one has to study their reductions mod $p$, and hence m.m.c. algorithms of polynomial multiplication over finite fields, particularly over $\mathbb{F}_2$. Over finite fields the m.m.c. algorithms of polynomial multiplication are not, in general, given by the Toom-Cook scheme. For example, $\mu_k(m, n) \geq m + n - 1$ for an arbitrary field $k$ of scalars, but the inequality becomes an equality only when the field $k$ has at least $m + n - 2$ elements (4). Better lower bounds on the m.m.c. can be deduced using the theory of error-correcting linear codes. In refs. 7 and 8 it was proved that $\mu_{\mathbb{F}_2}(n, n) > 3.52\,n$ for large $n$ [e.g., $\mu_{\mathbb{Z}}(n, n) > 3.52\,n$], using the upper bound of ref. 9. In this paper we explore various connections between m.m.c. algorithms for polynomial multiplication and multiplication in finite extensions of fields and optimal linear codes.

First, we improve on lower bounds on the m.m.c. over finite fields. Among the bilinear algorithms that we study are m.m.c. algorithms for multiplication in commutative $k$-algebras without zero divisors. Then we use the connection between the theory of linear codes and algebraic curves over finite fields [Goppa codes (10)]. We present all the relevant information from the theory of algebraic curves over finite fields. Our algorithms of polynomial multiplication can be interpreted as interpolation methods on algebraic curves. As a corollary of our results, we prove that $\mu_k(m, n) = O(m + n)$ for an arbitrary finite field $k$. Moreover, for the multiplicative complexity $\mu_k(\mathcal{K})$ of multiplication in a finite extension $\mathcal{K}$ over $k$ we obtain a bound $\mu_k(\mathcal{K}) \leq 2\left(1 + c/|k|^{1/2}\right)[\mathcal{K}:k]$, comparing favorably with our lower bounds. Our results generalize to lower and upper bounds on the m.m.c. of multiplication in other algebraic structures over finite fields, including group algebras.

Section 1. Multiplicative Complexity and Multiplication in Finite Extensions of Fields

The problem of determining the minimal complexity of computations of systems of bilinear forms can be formulated in a variety of terms. As it turns out (3), various algebraic methods of computation can be reduced to the so-called "normal" forms of computation, which are our prime focus. [Other straight-line programs for the computation of bilinear forms, particularly commutative ones (3), can be considered in a similar way.]

We start with a commutative ring $A$ and two sets of undetermined variables $x = (x_1, \ldots, x_m)$ and $y = (y_1, \ldots, y_n)$. We consider a system of $s$ bilinear forms with coefficients from $A$:

$$z_k = \sum_{i=1}^{m} \sum_{j=1}^{n} t_{i,j,k}\, x_i y_j \quad (k = 1, \ldots, s). \qquad [1.1]$$

The multiplicative complexity over $A$ of the computation of the bilinear forms 1.1, $\mu_A$, is the minimal number of nonscalar multiplications needed to evaluate Eq. 1.1 over $A$. If $T = (t_{i,j,k})$ is an $m \times n \times s$ tensor and $T_k = (t_{i,j,k})_{i,j=1}^{m,n}$ are the components (layers) of $T$ with respect to the third coordinate, then $\mu = \mu_A$ is the minimal number such that for some $a_{kl} \in A$, $b^l \in A^m$, $c^l \in A^n$ we have

$$T_k = \sum_{l=1}^{\mu} a_{kl}\, b^l (c^l)^{\mathrm{t}} \quad (k = 1, \ldots, s). \qquad [1.2]$$

The matrices $b^l (c^l)^{\mathrm{t}}$ are rank one matrices, sometimes called dyads. The representation 1.2 means that the multiplicative complexity $\mu$ is the minimal number of dyads over $A$ whose linear span over $A$ includes the list of matrices $T_k$, $k = 1, \ldots, s$ (1-8, 11). Similarly, one could select the representation of $T$ as a list of matrices with respect to the first or the second component. Apparently, the number $\mu$ for all of these representations is the same. The number $\mu = \mu_A$ is the rank of the tensor $T$ (in Strassen's terminology). The realization 1.2 of the (noncommutative) scheme of computation of the bilinear forms 1.1 can be represented in the following algebraic form

$$z = A\,(Bx \circ Cy), \qquad [1.3]$$

where $A = (a_{kl})$, $B = (b^l_i)$, $C = (c^l_j)$, and $\circ$ is the componentwise product of the two vectors $Bx$ and $Cy$ of length $\mu$.

We describe now the structure of the 3-tensor determining the rules of multiplication of elements in finite extensions of fields. Let $k$ be a field, and let a finite extension $\mathcal{K}$ of $k$ be represented as $\mathcal{K} = k[t]/(p(t))$, where $p(t)$ is an irreducible polynomial from $k[t]$. Then (up to the choice of the basis of $\mathcal{K}$ over $k$), the multiplication of elements of $\mathcal{K}$ over the field of scalars $k$ is determined by the multiplication of polynomials mod $p(t)$. We are led to the traditional, in the field of algebraic complexities, problem of multiplication of two polynomials $x(t)\,y(t) \bmod p(t)$ (1-3). This problem is of interest to us for an arbitrary ring of scalars $A$. We assume $p(t) \in A[t]$ to be monic of the form

$$p(t) = t^n - p_{n-1} t^{n-1} - \cdots - p_1 t - p_0. \qquad [1.4]$$

We use the companion matrix $P$ of $p(t)$ (the Frobenius normal form) to determine $t^k \bmod p(t)$. From Eq. 1.4, iterating $P$, we obtain

$$t^{i+j} \bmod p(t) = \sum_{k=0}^{n-1} (P^j)_{i,k}\, t^k, \qquad [1.5]$$

where $(P^j)_{i,k}$ is the $(i, k)$th element of the matrix $P^j$, with rows and columns numbered from $0$ to $n - 1$. If $x(t) = \sum_{i=0}^{n-1} x_i t^i$ and $y(t) = \sum_{j=0}^{n-1} y_j t^j$, then

$$x(t)\,y(t) \bmod p(t) = \sum_{k=0}^{n-1} z_k t^k, \qquad [1.6]$$

where $z_k = \sum_{i,j=0}^{n-1} t_{i,j,k}\, x_i y_j$ and $t_{i,j,k} = (P^j)_{i,k}$. Consequently, the $n$ matrices $I, P, P^2, \ldots, P^{n-1}$ are the layers (with respect to the second index) of the tensor $T = (t_{i,j,k})_{i,j,k=0}^{n-1}$ determining polynomial multiplication mod $p(t)$.

LEMMA 1.1. For arbitrary $q_0, \ldots, q_{n-1}$, the rank of the matrix $\sum_{k=0}^{n-1} q_k P^k$ is equal to $n - z$, where $z$ is the number of common roots of $p(t)$ and $q(t) = \sum_{k=0}^{n-1} q_k t^k$.

Proof: Let us look at the quantity $R(p, q) = \det\left(\sum_{k=0}^{n-1} q_k P^k\right)$ for a given $q = q(t)$ and $p(t) = t^n - p_{n-1} t^{n-1} - \cdots - p_0 = \prod_{i=1}^{n} (t - \alpha_i)$, where $\alpha_1, \ldots, \alpha_n$ lie in the splitting field of $p(t)$. Reducing $P$ to its diagonal form we recover one of the equivalent representations of $R(p, q)$ as the resultant of $p(t)$ and $q(t)$:

$$R(p, q) = \prod_{i=1}^{n} q(\alpha_i). \qquad [1.7]$$

The rank of an $n \times n$ matrix $M$ is equal to $n - n_0$, where $n_0$ is the number of zero eigenvalues of $M$; i.e., the characteristic polynomial is $\chi_M(\lambda) = \det(\lambda I_n + M) = \lambda^n + \cdots + m_{n_0} \lambda^{n_0}$ with $m_{n_0} \neq 0$. (This count is valid when $M$ is diagonalizable, which is the case here whenever the roots $\alpha_i$ are distinct, in particular for irreducible $p(t)$ over a finite field.) We put $M = \sum_{k=0}^{n-1} q_k P^k$, so that $\lambda I_n + M = \sum_{k=0}^{n-1} q'_k P^k$, where $q'_k = q_k + \delta_{k0}\lambda$ ($k = 0, \ldots, n - 1$). Then for $q'(t) = q(t) + \lambda$, $R(p, q') = \det(\lambda I_n + M)$ or, by Eq. 1.7,

$$\det\left(\lambda I_n + \sum_{k=0}^{n-1} q_k P^k\right) = \prod_{i=1}^{n} \{q(\alpha_i) + \lambda\}. \qquad [1.8]$$

From Eq. 1.8 it follows that the rank of $M$ is $n - n_0$, where $n_0$ is the number of zeros $\alpha_i$ of $p(t)$ such that $q(\alpha_i) = 0$.

COROLLARY 1.2. If a monic polynomial $p(t) \in A[t]$ is irreducible over (the field of fractions of) $A$, then for $q_0, \ldots, q_{n-1}$ not all zero from (the field of fractions of) $A$, the matrix $\sum_{k=0}^{n-1} q_k P^k$ has rank $n$.
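As a worked instance of Eqs. 1.4-1.6, Lemma 1.1 and Corollary 1.2, the following Python example (added here; it is not code from the paper) builds the companion matrix $P$, forms the layers $P^j$ of the tensor, checks Eq. 1.6 against schoolbook multiplication mod $p(t)$ for every pair of inputs, and computes the rank of $\sum_k q_k P^k$. It assumes a prime field $\mathbb{F}_q$, so that coefficient arithmetic is integer arithmetic mod $q$, and uses two polynomials over $\mathbb{F}_2$ chosen for this example: $t^4 + t + 1$, which is irreducible (so every nonzero $q(t)$ of degree $< 4$ must give rank 4), and $t^4 + t^3 + t^2 + 1 = (t + 1)(t^3 + t + 1)$, which is squarefree, so $P$ is diagonalizable over the splitting field and the count $n - z$ of Lemma 1.1 applies: $q(t) = t + 1$ shares one root with $p$ (rank 3), $q(t) = t^3 + t + 1$ shares three (rank 1), and $q(t) = t^2 + t + 1$ shares none (rank 4).

```python
"""Multiplication mod p(t) as a 3-tensor built from the companion matrix P (Eqs. 1.4-1.6), over a prime field F_q."""
from itertools import product

# Polynomials are coefficient lists in increasing degree: [c0, c1, ...] = c0 + c1 t + ...
# q must be prime, so that the integers mod q form the field F_q.

def poly_mod(a, m, q):
    """Remainder of a(t) modulo the monic polynomial m(t) over F_q, as a list of length deg m."""
    a = [c % q for c in a]
    n = len(m) - 1
    for i in range(len(a) - 1, n - 1, -1):        # eliminate leading terms, highest degree first
        c = a[i]
        if c:
            for k in range(n + 1):
                a[i - n + k] = (a[i - n + k] - c * m[k]) % q
    return (a[:n] + [0] * n)[:n]

def companion(m, q):
    """Companion matrix P of m(t) (Eq. 1.4, i.e. t^n = p_{n-1} t^{n-1} + ... + p_0):
    row i holds the coefficients of t^{i+1} mod m(t); rows and columns are numbered from 0."""
    n = len(m) - 1
    return [poly_mod([0] * (i + 1) + [1], m, q) for i in range(n)]

def mat_mul(X, Y, q):
    n = len(X)
    return [[sum(X[i][l] * Y[l][k] for l in range(n)) % q for k in range(n)] for i in range(n)]

def tensor_layers(m, q):
    """Layers P^0 = I, P^1, ..., P^{n-1} with respect to the second index: t_{i,j,k} = (P^j)_{i,k} (Eq. 1.5)."""
    n = len(m) - 1
    P = companion(m, q)
    layers, Pj = [], [[int(i == k) for k in range(n)] for i in range(n)]
    for _ in range(n):
        layers.append(Pj)
        Pj = mat_mul(Pj, P, q)
    return layers

def tensor_mul(x, y, layers, q):
    """z_k = sum_{i,j} t_{i,j,k} x_i y_j (Eq. 1.6): x(t) y(t) mod p(t) read off the tensor."""
    n = len(layers)
    return [sum(x[i] * y[j] * layers[j][i][k] for i in range(n) for j in range(n)) % q
            for k in range(n)]

def direct_mul(x, y, m, q):
    """Reference: schoolbook product followed by reduction mod m(t)."""
    n = len(m) - 1
    prod = [0] * (2 * n - 1)
    for i in range(n):
        for j in range(n):
            prod[i + j] = (prod[i + j] + x[i] * y[j]) % q
    return poly_mod(prod, m, q)

def rank(M, q):
    """Rank of a matrix over F_q by Gauss-Jordan elimination."""
    M = [row[:] for row in M]
    r = 0
    for c in range(len(M[0])):
        piv = next((i for i in range(r, len(M)) if M[i][c] % q), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], q - 2, q)                 # inverse in F_q (q prime)
        M[r] = [(v * inv) % q for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c] % q:
                f = M[i][c]
                M[i] = [(a - f * b) % q for a, b in zip(M[i], M[r])]
        r += 1
    return r

def rank_of_q_of_P(qcoef, m, q):
    """Rank of sum_k q_k P^k; Lemma 1.1 predicts n minus the number of common roots of q(t) and p(t)."""
    layers = tensor_layers(m, q)
    n = len(m) - 1
    M = [[sum(qcoef[k] * layers[k][i][c] for k in range(n)) % q for c in range(n)] for i in range(n)]
    return rank(M, q)

def tensor_checks_out(m, q):
    """True iff the tensor reproduces x(t) y(t) mod m(t) for every pair of inputs in F_q^n."""
    n = len(m) - 1
    layers = tensor_layers(m, q)
    return all(tensor_mul(x, y, layers, q) == direct_mul(x, y, m, q)
               for x in product(range(q), repeat=n) for y in product(range(q), repeat=n))

def all_nonzero_q_full_rank(m, q):
    """Corollary 1.2: for irreducible m(t), every nonzero q(t) of degree < n gives a matrix of rank n."""
    n = len(m) - 1
    return all(rank_of_q_of_P(list(qc), m, q) == n for qc in product(range(q), repeat=n) if any(qc))

if __name__ == "__main__":
    IRRED = [1, 1, 0, 0, 1]      # t^4 + t + 1, irreducible over F_2 (defines F_16); constructed input
    REDUC = [1, 0, 1, 1, 1]      # t^4 + t^3 + t^2 + 1 = (t + 1)(t^3 + t + 1) over F_2; constructed input
    print("tensor == direct product for all inputs:", tensor_checks_out(IRRED, 2))
    print("all nonzero q(t) give rank 4 for irreducible p:", all_nonzero_q_full_rank(IRRED, 2))
    for name, qc in (("t+1", [1, 1, 0, 0]), ("t^3+t+1", [1, 1, 0, 1]), ("t^2+t+1", [1, 1, 1, 0])):
        print(f"rank of q(P) for q = {name} and reducible p:", rank_of_q_of_P(qc, REDUC, 2))
```

The same functions work for any prime $q$ and any monic $p(t)$; for a reducible $p(t)$ with repeated roots the eigenvalue count in the proof no longer equals the rank, which is why the reducible example above is chosen squarefree.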

Section 2. Linear Codes

Here we remind the reader of some well-known facts about linear codes (12). In the theory of linear codes one considers vector spaces $A^n$ of dimension $n$ over a finite field $\mathbb{F}_q$, where "an alphabet" $A$ consists of the elements of the field $\mathbb{F}_q$. A linear subspace of $A^n$ is called a linear code. We denote by $k$ the dimension of the code over $\mathbb{F}_q$. By the weight $d$ of the code we understand the minimal number of nonzero coordinates of all nonzero vectors from the code, with respect to a fixed basis of the space $A^n$. In this context, we define $N(k, d)$ as the least integer $n$ such that there exists a code with given $n$ and $k$ of weight $d$ (an $[n, k, d]$-code). One of the best upper bounds on $N(k, d)$ is the Gilbert-Varshamov bound. Let us put $H_q(x) = -x \log_q x - (1 - x) \log_q (1 - x)$. Then the Gilbert-Varshamov bound (12) proves the existence of $[n, k, d]$-linear codes over $\mathbb{F}_q$ such that for $R \stackrel{\mathrm{def}}{=} k/n$, $\delta \stackrel{\mathrm{def}}{=} d/n$ one has $R \geq 1 - \delta \log_q (q - 1) - H_q(\delta)$. Goppa's codes (10) meet the Gilbert-Varshamov bound (and are constructed effectively).

Lower bounds on $N(k, d)$ are used to bound from below the multiplicative complexity of polynomial multiplication. One of the best such bounds has been proved in ref. 9 for $q = 2$. According to this bound, if $n \to \infty$ and we have a sequence of $[n, k, d]$-codes with $d/n \to \delta$, then

$$R = k/n \leq H_2\!\left[1/2 - (\delta - \delta^2)^{1/2}\right]. \qquad [2.1]$$

The bound 2.1 has been used (7, 8) to obtain the following lower bound on the multiplicative complexity $\mu_{\mathbb{F}_q}(n, m)$ over $\mathbb{F}_q$ of multiplication of a polynomial of degree $n - 1$ by a polynomial of degree $m - 1$, for $q = 2$:

$$\mu_{\mathbb{F}_q}(n, m) \geq \max\{N(n, m),\, N(m, n)\}. \qquad [2.2]$$

According to ref. 8, 2.1 and 2.2 imply $\mu_{\mathbb{F}_2}(n, n) \geq 3.52\,n$ for sufficiently large $n$. We now present the relationship between the tensor rank and Hamming weights in a more general setting.

PROPOSITION 2.1. Let $T = (t_{i,j,k})$ ($i = 1, \ldots, m$; $j = 1, \ldots, n$; $k = 1, \ldots, s$) be a 3-tensor, $T_k = (t_{i,j,k})_{i,j=1}^{m,n}$ ($k = 1, \ldots, s$). Let, for arbitrary $a_1, \ldots, a_s$ from $\mathbb{F}_q$, not all zero, the rank of the matrix $\sum_{k=1}^{s} a_k T_k$ over $\mathbb{F}_q$ be at least $r$. If $\mu = \mu_{\mathbb{F}_q}$ is the multiplicative complexity of $T$ over $\mathbb{F}_q$, then there exists a linear code $C$ in $\mathbb{F}_q^{\mu}$ of dimension $s$ with Hamming weight at least $r$ (a $[\mu, s, r]$-code).

Proof: Let us consider a realization 1.2 of the m.m.c. $\mu = \mu_{\mathbb{F}_q}$ algorithm of computation of the system of bilinear forms 1.1 corresponding to $T$. Let us denote the dyads $b^l (c^l)^{\mathrm{t}}$ (rank one matrices over $\mathbb{F}_q$) by $D_l$ ($l = 1, \ldots, \mu$). Let the code $C$ in $\mathbb{F}_q^{\mu}$ be generated by the $s$ vectors $a_k = (a_{kl} : l = 1, \ldots, \mu)$, $k = 1, \ldots, s$. Let $v \in C$, $v = \sum_{k=1}^{s} z_k a_k$, where $z_k \in \mathbb{F}_q$ and not all $z_k$ are zero ($k = 1, \ldots, s$). From Eq. 1.2 we obtain

$$\sum_{k=1}^{s} z_k T_k = \sum_{l=1}^{\mu} v_l D_l \qquad [2.3]$$

and $v_l = \sum_{k=1}^{s} z_k (a_k)_l = \sum_{k=1}^{s} z_k a_{kl}$ ($l = 1, \ldots, \mu$). The rank of $\sum_{k=1}^{s} z_k T_k$ is at least $r$ (by our assumptions). Thus at least $r$ of the coordinates $v_l$ of $v \neq 0$ are nonzero (otherwise the matrix in Eq. 2.3 would be a sum of fewer than $r$ dyads). This implies that $C$ has dimension $s$ over $\mathbb{F}_q$ and that the Hamming weight of every nonzero element of $C$ is at least $r$.

Let $\mathcal{K} = \mathbb{F}_q[t]/(p(t))$ for an irreducible polynomial $p(t)$ of degree $n$ in $\mathbb{F}_q[t]$, so $\mathcal{K} \cong \mathbb{F}_{q^n}$; and let $\mu_{\mathbb{F}_q}(\mathcal{K})$ denote the m.m.c. of multiplication in the field $\mathcal{K}$ over $\mathbb{F}_q$. Then Corollary 1.2 and Proposition 2.1 imply that there exists a $[\mu_{\mathbb{F}_q}(\mathcal{K}), n, n]$-linear code over $\mathbb{F}_q$. Combining this with the bound 2.1, we deduce the lower bound

$$\mu_{\mathbb{F}_2}(\mathcal{K}) \geq 3.52\,n \qquad [2.4]$$

for sufficiently large $n = [\mathcal{K}:\mathbb{F}_2]$. The same bound holds when one replaces $\mathcal{K}$ by an arbitrary $\mathbb{F}_2$-algebra $A$ without zero divisors (see Corollary 3.1). For $q > 2$, we can use the Plotkin bound (a lower bound on $N(k, d)$; see ref. 12) and deduce for large $n = [\mathcal{K}:\mathbb{F}_q]$

$$\mu_{\mathbb{F}_q}(\mathcal{K}) \geq 2\left(1 + \frac{1}{q - 1}\right) n. \qquad [2.5]$$

In Section 4, we prove that the upper bounds on $\mu_{\mathbb{F}_q}(n, n)$ and $\mu_{\mathbb{F}_q}(\mathcal{K})$ are also linear in $n$. We present only one upper bound, for $q = 2$, that follows from Section 4 for large $n = [\mathcal{K}:\mathbb{F}_2]$:

$$\mu_{\mathbb{F}_2}(\mathcal{K}) \leq 6\,n. \qquad [2.6]$$

Section 3. Examples

Sometimes it is useful to represent bilinear algorithms for computation in finite-dimensional $k$-algebras $A$ in coordinate-free form (3, 4). Let us start with a $k$-algebra $A$ of dimension $n$ over $k$ (an arbitrary field) with the basis $e_1, \ldots, e_n$. If we have a multiplication table $e_i e_j = \sum_{m} c^m_{ij} e_m$ for $c^m_{ij} \in k$, then the multiplication in $A$ can be written in bilinear form. We have $(\sum_{i=1}^{n} x_i e_i)(\sum_{j=1}^{n} y_j e_j) = \sum_{m=1}^{n} z_m e_m$ with $z_m = \sum_{i,j} x_i y_j c^m_{ij}$. In the coordinate-free form we associate with the multiplication in $A$ over $k$, $\times : A \times A \to A$, a tensor $t_A \in A^* \otimes A^* \otimes A$. The rank of this tensor is the minimal number $\mu$ [the multiplicative complexity $\mu = \mu_k(A)$] such that $t_A$ is represented as a sum of $\mu$ rank one tensors

$$t_A = \sum_{l=1}^{\mu} u_l \otimes v_l \otimes w_l \qquad [3.1]$$

for $u_l \otimes v_l \otimes w_l$ in $A^* \otimes A^* \otimes A$. One can define layers of $t = t_A$ as $t_x = \sum_{l=1}^{\mu} u_l(x)\, v_l \otimes w_l$ and $t_y = \sum_{l=1}^{\mu} v_l(y)\, u_l \otimes w_l$ for $x \in A$, $y \in A$: $t_x$ and $t_y$ are linear mappings $A \to A$. According to the definition of the multiplication tensor $t$,

$$t_x = L_x, \qquad t_y = R_y, \qquad [3.2]$$

where $L_x$ and $R_y$ are left and right multiplication by $x$ and $y$, respectively, in $A$.

COROLLARY 3.1. If $A$ is an $\mathbb{F}_q$-algebra of dimension $n$ over $\mathbb{F}_q$ without zero divisors, then every realization of multiplication in it over $\mathbb{F}_q$ as a bilinear algorithm with $\mu = \mu_{\mathbb{F}_q}(A)$ nonscalar multiplications over $\mathbb{F}_q$ gives rise to $[\mu, n, n]$-linear codes over $\mathbb{F}_q$.

Proof: Let us consider a bilinear algorithm 3.1 over $k = \mathbb{F}_q$. We define as a linear code $C$ the set of all vectors $u(x) = (u_l(x) : l = 1, \ldots, \mu)$ in $k^{\mu}$. The layer $t_x$ of $t$ with respect to a nonzero $x \in A$ is $L_x = \sum_{l=1}^{\mu} u_l(x)\, v_l \otimes w_l$. Because $x$ is not a zero divisor, $L_x \in GL(A)$. In particular, this means that there are at least $n$ nonzero $u_l(x)$, $l = 1, \ldots, \mu$, for every nonzero $x \in A$ (so $x \mapsto u(x)$ is injective and $C$ has dimension $n$). Thus $C$ is a $[\mu, n, n]$-code.

The proof of Corollary 3.1 provides important clues to the algebraic form 1.3 of the algorithm of multiplication in the $k$-algebra $A$. Considering right multiplication in $A$ and the isomorphisms induced by the left and right multiplications in $A$ (4), we arrive at an important conclusion: If the scheme 1.3 describes multiplication in a commutative division $k$-algebra $A$ of dimension $n$ ($n = m = s$) over $k = \mathbb{F}_q$, then the matrices $A^{\mathrm{t}}$, $B$, and $C$ are generator matrices of $[\mu, n, n]$-linear codes over $\mathbb{F}_q$.

Lower bounds on the multiplicative complexities of multiplication in algebras over finite fields (particularly over $\mathbb{F}_2$) can be used to identify the bilinear algorithms realizing the m.m.c. (11, 13).

Let us start with $q = 2$. The most interesting case is that of $[n, k, d]$-codes with a given $k = d$ and minimal $n$. In the notation of Section 2, Corollary 3.1 implies that $\mu \geq N(n, n)$. We also use the remark above that the matrices $A^{\mathrm{t}}$, $B$, and $C$ in the representation 1.3 of multiplication in the division $k$-algebra $A$ are all generator matrices for $[\mu, n, n]$-codes. In a few cases all $[N(n, n), n, n]$-codes can be explicitly described up to equivalence. We recall that the linear codes $C_1$ and $C_2$ are said to be equivalent if $C_2$ is obtained by applying one permutation of the symbols to all the codewords of $C_1$. The study of $[N(n, n), n, n]$-codes with $n \leq 3$ is not interesting. In the case $n = 4$, $N(4, 4) = 8$, and the corresponding $[8, 4, 4]$-code is the well-known Reed-Muller code (chapter 13.3 of ref. 12). Moreover, all $[8, 4, 4]$-codes are equivalent to the Reed-Muller one.

This allows us to classify up to equivalence (with respect to nonsingular transformations in each of the indices) all $4 \times 4 \times 4$ tensors $T = (t_{ijk})$ that arise from the bilinear scheme 1.3, where $A^{\mathrm{t}}$, $B$, and $C$ are generator matrices of some $[8, 4, 4]$-codes. A simple personal computer program easily convinces one that no $4 \times 4 \times 4$ tensor corresponding to the bilinear scheme 1.3 with $A^{\mathrm{t}}$, $B$, and $C$ generator matrices of $[8, 4, 4]$-linear codes arises from the multiplication in an $\mathbb{F}_2$-algebra $A$ without zero divisors. Thus we arrive at the following.

Example 3.2: If $A$ is a 4-dimensional commutative algebra over $\mathbb{F}_2$ without zero divisors, then the multiplicative complexity of $A$ over $\mathbb{F}_2$ is at least 9. In particular, whenever $p(t)$ is an irreducible polynomial in $\mathbb{F}_2[t]$ of degree 4, the minimal number of multiplications over $\mathbb{F}_2$ necessary to multiply two polynomials mod $p(t)$ is exactly 9.

Example 3.3: The m.m.c. of multiplication in the field extension of degree 6 over $\mathbb{F}_2$ is 15: $\mu_{\mathbb{F}_2}(\mathbb{F}_{2^6}) = 15$. Indeed, $N(6, 6) \geq 15$. On the other hand, $\mu_{\mathbb{F}_2}(\mathbb{F}_{2^6}) \leq 15$, because $\mu_{\mathbb{F}_2}(\mathbb{F}_{2^2}) \leq 3$ and $\mu_{\mathbb{F}_{2^2}}(\mathbb{F}_{2^6}) \leq 5$. Here we are using a trivial but important "multiplication rule":

$$\mu_{\mathbb{F}_q}(\mathbb{F}_{q^{nm}}) \leq \mu_{\mathbb{F}_q}(\mathbb{F}_{q^n}) \cdot \mu_{\mathbb{F}_{q^n}}(\mathbb{F}_{q^{nm}}).$$
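The upper bound of Example 3.3, the multiplication rule, and Corollary 3.1 can all be checked on a machine. The Python example below is added here and is not code from the paper. It encodes $\mathbb{F}_4 = \mathbb{F}_2[w]/(w^2 + w + 1)$ in two bits, multiplies in $\mathbb{F}_4$ by Karatsuba with 3 nonscalar $\mathbb{F}_2$ products, and multiplies in $\mathbb{F}_{64} = \mathbb{F}_4[t]/(t^3 + t + 1)$ (the modulus is a choice of this example; it has no root in $\mathbb{F}_4$ and is therefore irreducible) by the Toom-Cook scheme of the introduction: evaluate at the four points of $\mathbb{F}_4$ and at infinity, multiply pointwise (5 nonscalar $\mathbb{F}_4$ products), interpolate, and reduce. This is precisely the situation $|k| = 4 \geq m + n - 2$ for two polynomials of degree 2, and it is the genus-zero instance of Proposition 4.3 in Section 4, with $\mathfrak{S}$ the five places of degree one of $\mathbb{F}_4(t)$ and $\mathrm{Card}(\mathfrak{S}) = 5 > 2\,d(\mathfrak{b}) = 4$. Following Section 1, only nonscalar multiplications are counted; multiplication by fixed constants (evaluation points, interpolation coefficients) is a linear map and is free. The counter reports $5 \cdot 3 = 15$ $\mathbb{F}_2$ products per $\mathbb{F}_{64}$ product, the result is verified against schoolbook multiplication on all $64 \times 64$ pairs, and the three linear forms of the Karatsuba step are shown to generate a $[3, 2, 2]$-code, as Corollary 3.1 predicts for $\mu = 3$, $n = 2$.

```python
"""F_64 multiplication with 15 nonscalar F_2 products: Toom-Cook over F_4 (5 products) on top of Karatsuba in F_4 (3 each)."""

# F_4 = F_2[w]/(w^2 + w + 1); the element a0 + a1 w is encoded as the int a0 | (a1 << 1).
W, W2 = 2, 3                       # w and w^2 = w + 1
_EXP = [1, W, W2]                  # w^0, w^1, w^2
_LOG = {1: 0, W: 1, W2: 2}

COUNTER = {"f2_muls": 0}           # nonscalar F_2 multiplications (AND gates) performed by mul4

def scale(x, c):
    """x * c for a fixed scalar c, via log tables. Multiplication by a constant is a linear map,
    so it is free in the bilinear-complexity model of Section 1 and is not counted."""
    if x == 0 or c == 0:
        return 0
    return _EXP[(_LOG[x] + _LOG[c]) % 3]

def mul4(x, y):
    """Karatsuba product in F_4 using exactly 3 nonscalar F_2 multiplications (mu_{F_2}(F_4) = 3)."""
    x0, x1, y0, y1 = x & 1, x >> 1, y & 1, y >> 1
    m0, m1, m2 = x0 & y0, x1 & y1, (x0 ^ x1) & (y0 ^ y1)
    COUNTER["f2_muls"] += 3
    # (x0 + x1 w)(y0 + y1 w) = x0y0 + x1y1 + (x0y1 + x1y0 + x1y1) w, with x0y1 + x1y0 = m2 + m0 + m1
    return (m0 ^ m1) | ((m0 ^ m2) << 1)

def karatsuba_code_min_weight():
    """Corollary 3.1 for mul4: the linear forms x -> (x0, x1, x0 + x1) feeding its three products
    generate a [3, 2, 2]-code over F_2; every nonzero x has at least n = 2 nonzero coordinates."""
    weights = []
    for x in (1, 2, 3):
        x0, x1 = x & 1, x >> 1
        weights.append(x0 + x1 + (x0 ^ x1))
    return min(weights)

def evaluate(poly, a):
    """Horner evaluation of a polynomial over F_4 at the fixed point a (scalar multiplications only)."""
    r = 0
    for coef in reversed(poly):
        r = scale(r, a) ^ coef
    return r

def reduce_mod_cubic(c):
    """Reduce c(t) of degree <= 4 modulo t^3 + t + 1 (no root in F_4, hence irreducible over F_4,
    so F_4[t]/(t^3 + t + 1) = F_64). Uses t^3 = t + 1 and t^4 = t^2 + t."""
    return [c[0] ^ c[3], c[1] ^ c[3] ^ c[4], c[2] ^ c[4]]

def toom_mul64(x, y):
    """Product in F_64 of x, y (coefficient triples over F_4) with 5 nonscalar F_4 multiplications:
    evaluate at the 4 points of F_4 and at infinity, multiply pointwise, interpolate, reduce."""
    pts = [0, 1, W, W2]
    f = [mul4(evaluate(x, a), evaluate(y, a)) for a in pts]     # c(a) for a in F_4: 4 products
    c4 = mul4(x[2], y[2])                                          # leading coefficient of c(t): 5th product
    # Every a in F_4 satisfies a^4 = a, so g(a) = c(a) - c4*a are the values of g(t) = c(t) - c4 t^4, deg g <= 3.
    g = [f[i] ^ scale(c4, a) for i, a in enumerate(pts)]
    # Interpolate g from its values on all of F_4: g(t) = sum_a g(a) (1 + (t + a)^3); in characteristic 2,
    # 1 + (t + a)^3 = 1 + t^3 for a = 0 and t^3 + a t^2 + a^2 t for a != 0 (because a^3 = 1).
    c0 = g[0]
    c1 = g[1] ^ scale(g[2], W2) ^ scale(g[3], W)     # a^2 for a = 1, w, w^2 is 1, w^2, w
    c2 = g[1] ^ scale(g[2], W) ^ scale(g[3], W2)     # a   for a = 1, w, w^2
    c3 = g[0] ^ g[1] ^ g[2] ^ g[3]
    return reduce_mod_cubic([c0, c1, c2, c3, c4])

def school_mul64(x, y):
    """Reference: schoolbook F_4[t] product (9 table multiplications) reduced mod t^3 + t + 1."""
    c = [0] * 5
    for i in range(3):
        for j in range(3):
            c[i + j] ^= scale(x[i], y[j])
    return reduce_mod_cubic(c)

def f2_muls_for_one_product():
    """Nonscalar F_2 multiplications in one F_64 product: 5 * 3 = 15, the upper bound of Example 3.3."""
    COUNTER["f2_muls"] = 0
    toom_mul64([1, W, W2], [W2, 0, 1])                 # constructed sample operands
    return COUNTER["f2_muls"]

def toom_agrees_everywhere():
    """True iff mul4 matches the table on all 16 pairs and toom_mul64 matches school_mul64 on all 64 x 64 pairs."""
    if any(mul4(a, b) != scale(a, b) for a in range(4) for b in range(4)):
        return False
    elems = [[a, b, c] for a in range(4) for b in range(4) for c in range(4)]
    return all(toom_mul64(x, y) == school_mul64(x, y) for x in elems for y in elems)

if __name__ == "__main__":
    print("F_2 multiplications per F_64 product:", f2_muls_for_one_product())
    print("Toom-Cook agrees with schoolbook on all of F_64 x F_64:", toom_agrees_everywhere())
    print("minimum weight of the Karatsuba code:", karatsuba_code_min_weight())
```

Replacing the Karatsuba step by the schoolbook 4-product rule for $\mathbb{F}_4$ raises the count to $5 \cdot 4 = 20$, and replacing Toom-Cook by the schoolbook product over $\mathbb{F}_4$ raises it to $9 \cdot 3 = 27$; the multiplication rule is only as good as the two factors it multiplies.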

Section 4. Interpolation on Algebraic Curves

In this section we review briefly the theory of algebraic function fields of one variable over an arbitrary field of constants, following ref. 14. The Riemann-Roch theorem is applied to the basic interpolation problem on algebraic curves. For curves over finite fields our interpolation methods are used to construct fast polynomial multiplication algorithms. The curves used in these algorithms are the same as in Goppa codes. We deal with algebraic function fields in one variable (14). Any such field $K$ over the field of constants $k$ can be represented in the form $K = k(x, y)$, where $x$ is a transcendental element of $K$ over $k$ and $1, y, \ldots, y^{d-1}$ is a basis of $K$ over $k(x)$, $[K : k(x)] = d$. By a place of a field $K$ we understand a homomorphism $\varphi : K \to \Sigma \cup \{\infty\}$, where $\Sigma$ is a field and $\varphi(a) = \infty$, $\varphi(b) \neq 0, \infty$ for some $a, b \in K$. For an arbitrary place $\mathfrak{P}$ of $K$, let $k_{\mathfrak{P}}$ be a field such that $\mathfrak{P}$ is a homomorphism of $K$ onto $k_{\mathfrak{P}} \cup \{\infty\}$. We denote by $v_{\mathfrak{P}}$ the normed valuation with values in $\mathbb{Z}$ corresponding to $\mathfrak{P}$. The degree $f_{\mathfrak{P}}$ of $k_{\mathfrak{P}}$ over $k$ is called the degree of $\mathfrak{P}$.

A divisor of $K$ is an element of the free Abelian group generated by the set of places of $K$. The places themselves are called prime divisors. We write divisors additively: $\mathfrak{a} = \sum_{\mathfrak{P}} v_{\mathfrak{P}}(\mathfrak{a})\, \mathfrak{P}$, where the $v_{\mathfrak{P}}(\mathfrak{a})$ are integers, only finitely many of which are nonzero. A divisor $\mathfrak{a}$ is called integral if $v_{\mathfrak{P}}(\mathfrak{a}) \geq 0$ for every $\mathfrak{P}$. A divisor $\mathfrak{a}$ divides $\mathfrak{b}$ if $\mathfrak{b} - \mathfrak{a}$ is integral. The degree $d(\mathfrak{a})$ of a divisor $\mathfrak{a}$ is the integer $d(\mathfrak{a}) = \sum_{\mathfrak{P}} f_{\mathfrak{P}}\, v_{\mathfrak{P}}(\mathfrak{a})$, where $f_{\mathfrak{P}}$ is the degree of the place $\mathfrak{P}$. With every element $X \in K$ one associates a principal divisor $(X)$ as follows: $(X) = \sum_{\mathfrak{P}} v_{\mathfrak{P}}(X)\, \mathfrak{P}$. For an arbitrary divisor $\mathfrak{a}$ of $K$ we denote by $L(\mathfrak{a})$ the set of all elements $X$ of $K$ whose divisor $(X)$ is divisible by $\mathfrak{a}$, i.e., $(X) - \mathfrak{a}$ is integral (so that for an integral divisor $\mathfrak{a}$, $L(-\mathfrak{a})$ consists of the functions whose poles are bounded by $\mathfrak{a}$). This is a vector space over $k$. One can define an equivalence relation mod $\mathfrak{a}$ on $K$ by saying that $X \equiv Y \bmod \mathfrak{a}$ if $(X - Y)$ is divisible by $\mathfrak{a}$. For an arbitrary class $C$ of divisors modulo principal ones of $K$, one calls the maximal number of linearly independent (over $k$) integral divisors in this class the dimension $N(C)$ of the class $C$.


COROLLARY 4.1. (See ref. 14.) For an arbitrary equiva-lence class C of divisors and any ds from C, the dimensionN(C) is dimkL(-s).The genus g of K is defined as g = 1 - inf dimkL(si) +

d(si) over all divisors sit of K. To formulate the Riemann-Roch theorem, we need a definition of a differential on K.For this one calls an adele on K a mapping GPby of the setof prime divisors 9P of K into K such that vq (6) 2 0 for allbut finitely many ?P. The set of all adeles is turned into analgebraT over k with pointwise operations and with K-natu-rally embedded into W. The valuations are also extendedfrom K to Se:vo(f) = vp (&) for f = (&)g,. For a divisor ds ofK we denote by A(sd) the vector space over k of all adeles fsuch that { are divisible by se-i.e., vg_(4) 2 vo (si) for every9P. A differential c is defined as a k-linear map of T into kthat vanishes on some vector subspace of the form A(di) +K. One says then that the differential co is divisible by -sd.The differential is of the first kind if it is divisible by a zerodivisor 0. One can associate with a differential Co 7 0 aunique divisor (co) such that cl is divisible by .A, iff (Co)) isdivisible by si. The divisors of all differentials form the ca-nonical class W. In terms of W one can formulate the Rie-mann-Roch theorem.THEOREM 4.2. (See ref. 14.) For any class C of divisors

one has

N(C) = d(C) - g + 1 + N(W - C).

This implies that N(W) = g (the genus g is the maximalnumber of linearly independent differentials of the first kind)and d(W) = 2g - 2. In particular, N(C) = 0 if d(C) < 0 or ifd(C) = 0 and C oa. Thus

N(C) = d(C) - g + 1

if d(C) > 2g - 2orifd(C) = 2g - 2andC 7 W.In our applications, k is a finite field of characteristic p > 0

with q = pm elements. If 9P is any prime divisor of K-analgebraic function field with the field of constants k-thenthe number of elements in the residue field kit is called thenorm of 9P and is denoted by N(9P) = qd(g'). This definition isextended to all divisors: N(si) = qd(s). With an algebraicfunction field K/k one can associate a (-function:

t(K; s) = I (1 - N(9P)sy.l = i (N(si))-s (s > 1), [4.1]

where 9P and A run over all prime and all integral divisors ofK/k, respectively. We put Z(u) = t(K; -log u/log q). TheWeil theorem (the Riemann hypothesis over finite fields) al-lows one to express Z(u) in terms of eigenvalues of the Fro-benius operator on K/k. Namely, there exists a polynomialP2 (u) = ,14 1 (1 - uco1), such that for i = 1, . . ., 2g, coil =X and q/cl, is also one of cjs, and

Z(U) = P2g(U)/((1- u)(1 - qu)). [4.2]

For an arbitrary algebraic function field K/k and an arbi-trary integral divisor si of K one defines a k-algebra K/ifrom the equivalence relation mod s. The dimension of K/sitas a vector space over k is the degree d(i) of s. If = 9P is aprime divisor, then K/@P is the residue field k., of degree d(@P)over k.To reconstruct K/i we look at an integral divisor O with

d(@) ' d(i) 1 and a natural imbedding j:L(-Oa) -+ K --

K/ai (whenever supports of s and 9a are disjoint). If 9a issuch that the mapping j is onto, the multiplication rules inK/i can be deduced from those of L(-a) x L(-a) CL(-2a). To reconstruct functions from L(-2Q) we use in-terpolation and look at values of functions from L(-29a) atprime divisors of degree 1. We arrive at the following new

interpolation algorithm.

PROPOSITION 4.3. Let k be a field of constants, and let Kbe afunction field over k ofgenus g with a prime divisor Si ofdegree n on K. Letd be an integral divisor on K such thatthe natural mapping j:L(- a) -* K/sd = kfg is surjective. Ifa is a set of prime divisors of the first degree on K andCard(0) > 2d(M), then there exists a bilinear algorithm formultiplication in the field kA = K/si of degree n over k withthe field of scalars k, whose multiplicative complexity is sdimkL(-22P) [' Card(S))].

Proof: Since $j\colon L(-\mathfrak{D}) \to k_{\mathfrak{A}}$ is surjective, we can always choose a basis $f_1, \ldots, f_n$ of $K/\mathfrak{A}$ from elements of $L(-\mathfrak{D})$. The bilinear algorithm of multiplication in $k_{\mathfrak{A}}$ can be represented as a bilinear algorithm computing $(\sum_{i=1}^n x_i f_i)\cdot(\sum_{j=1}^n y_j f_j) \bmod \mathfrak{A}$ in the linear span of $L(-\mathfrak{D}) \times L(-\mathfrak{D}) \subset L(-2\mathfrak{D})$ over $k$. By the choice of $f_1, \ldots, f_n$ we have

$$\Big(\sum_{i=1}^n x_i f_i\Big)\cdot\Big(\sum_{j=1}^n y_j f_j\Big) \equiv \sum_{m=1}^n z_m f_m \pmod{\mathfrak{A}},$$

where $z_m$ are bilinear forms in $x = (x_1, \ldots, x_n)$, $y = (y_1, \ldots, y_n)$ with coefficients from $k$. To reconstruct $z_m$ uniquely we look at $f_i f_j$ as elements of $L(-2\mathfrak{D})$. If $g_1, \ldots, g_t$ is a basis of $L(-2\mathfrak{D})$ over $k$, $t = \dim_k L(-2\mathfrak{D})$, then we have $f_i f_j = \sum_{r=1}^t B^r_{ij} g_r$ for scalars $B^r_{ij} \in k$. Since the mapping $j\colon L(-\mathfrak{D}) \to K \to k_{\mathfrak{A}}$ is surjective, we have $g_r \equiv \sum_{m=1}^n C^r_m f_m \pmod{\mathfrak{A}}$ for (scalars) $C^r_m \in k$. If we have a bilinear algorithm over $k$ with multiplicative complexity $\mu$ representing the system of $t$ bilinear forms $Z_r = \sum_{i,j=1}^n B^r_{ij} x_i y_j$ ($r = 1, \ldots, t$), then we have a bilinear algorithm over $k$ of the same multiplicative complexity, $\mu$, representing $z_m$, because $z_m = \sum_{r=1}^t C^r_m Z_r$ ($m = 1, \ldots, n$). To determine $Z_r$ we look at values of $g_r$ at $\mathfrak{P}$ from $\mathfrak{S}$. By definition, for every $X \in K$, $X(\mathfrak{P}) \in k_{\mathfrak{P}} \cup \{\infty\}$, where $X(\mathfrak{P}) = \infty$ if $v_{\mathfrak{P}}(X) < 0$ (i.e., $X$ has a pole at $\mathfrak{P}$). We form a $\mathrm{Card}(\mathfrak{S}) \times t$ matrix $A = (g_r(\mathfrak{P}))$ for $\mathfrak{P} \in \mathfrak{S}$ and $r = 1, \ldots, t$ of values of the basis of $L(-2\mathfrak{D})$ at prime divisors from $\mathfrak{S}$. We claim that the rank of this matrix over $k$ is exactly $t$. Indeed, if this matrix has rank $< t$, then there are $\lambda_1, \ldots, \lambda_t$ from $k$, not all zero, such that $\sum_{r=1}^t \lambda_r g_r(\mathfrak{P}) = 0$ for all $\mathfrak{P} \in \mathfrak{S}$. This means that the function $X = \sum_{r=1}^t \lambda_r g_r \in K^*$ from $L(-2\mathfrak{D})$ has zeros at all $\mathfrak{P} \in \mathfrak{S}$. Since the degree of the divisor $(X)$ is zero for $X \in K^*$ and $X \in L(-2\mathfrak{D})$, we have $\mathrm{Card}(\mathfrak{S}) \le 2d(\mathfrak{D})$, which is false. Thus the matrix $A$ has rank $t$. (Strictly speaking, this argument is valid when the supports of $\mathfrak{S}$ and $\mathfrak{D}$ are disjoint; however, this assumption can be removed by consideration of the intersection of $\mathfrak{S}$ and $\mathfrak{D}$.)

Let us consider a $t \times t$ submatrix $A_0$ of $A$, which is nonsingular; let its rows correspond to divisors $\mathfrak{P}_1, \ldots, \mathfrak{P}_t$ of $\mathfrak{S}$. Then there exists a $t \times t$ matrix $B_0$ with elements from $k$ such that $A_0 B_0 = I_t$ in $M_t(k)$. We are ready to present now a bilinear algorithm over $k$ of multiplicative complexity $t$ [i.e., not more than $\dim_k L(-2\mathfrak{D})$] that computes the bilinear forms $Z_r$ ($r = 1, \ldots, t$). First we make $t$ linear forms in the variables $x$ and in the variables $y$ separately: $X_s = \sum_{i=1}^n x_i f_i(\mathfrak{P}_s)$, $Y_s = \sum_{j=1}^n y_j f_j(\mathfrak{P}_s)$ ($s = 1, \ldots, t$). Then we form linear combinations of pairwise products of $X_s$ and $Y_s$:

$$W_r = \sum_{s=1}^t B^0_{rs} X_s Y_s \qquad (r = 1, \ldots, t),$$

where $(B^0_{rs})_{r,s=1}^t = B_0$. We claim that the bilinear forms $W_r$ ($r = 1, \ldots, t$), so defined, coincide with the bilinear forms $Z_r$ ($r = 1, \ldots, t$). Indeed, by the definition of $Z_r$ we have $\sum_{r=1}^t Z_r g_r = (\sum_{i=1}^n x_i f_i)\cdot(\sum_{j=1}^n y_j f_j)$; i.e., $\sum_{r=1}^t Z_r g_r(\mathfrak{P}_s) = X_s Y_s$ ($s = 1, \ldots, t$). Consequently, for any $\alpha = 1, \ldots, t$, $\sum_{s=1}^t B^0_{\alpha s} \sum_{r=1}^t Z_r g_r(\mathfrak{P}_s) = \sum_{s=1}^t B^0_{\alpha s} X_s Y_s$. However, $A_0 = (g_r(\mathfrak{P}_s))_{s,r=1}^t$ and $B_0 A_0 = I_t$; i.e., $\sum_{s=1}^t B^0_{\alpha s} g_r(\mathfrak{P}_s) = \delta_{\alpha r}$. Thus for $\alpha = 1, \ldots, t$, $Z_\alpha = \sum_{s=1}^t B^0_{\alpha s} X_s Y_s$ $(= W_\alpha)$. Consequently, we can determine $Z_r$ ($r = 1, \ldots, t$) in $t$ essential multiplications over $k$, and $z_m$ ($m = 1, \ldots, n$) can be determined over $k$ in $t$ essential multiplications too.

COROLLARY 4.4. Let $K$ be a function field over $k$ of genus $g \ge 0$ and let $\mathfrak{A}$ be a prime divisor of degree $n \ge 1$ on $K$. Let $\mathfrak{D}_0$ be a nonspecial integral divisor on $K$, i.e., $\dim_k L(-\mathfrak{D}_0) = d(\mathfrak{D}_0) - g + 1$, such that $\mathfrak{D} = \mathfrak{D}_0 + \mathfrak{A}$ is a nonspecial divisor


too. Let there be $D$ prime divisors of the first degree on $K$ with $D > 2d(\mathfrak{D})$. Then there exists a bilinear algorithm over $k$ that computes the multiplication in the field extension $k_{\mathfrak{A}}$ of $k$ of degree $n$ of multiplicative complexity at most $2d(\mathfrak{D}) - g + 1 = 2n + 2d(\mathfrak{D}_0) - g + 1$.

Proof: According to Proposition 4.3 we have to prove that there exists an integral divisor $\mathfrak{D}_1$ of degree $d(\mathfrak{D})$ such that the mapping $j_1\colon L(-\mathfrak{D}_1) \to k_{\mathfrak{A}}$ is surjective. Since $j_1$ is determined by the place mapping $K \to k_{\mathfrak{A}}$ of $\mathfrak{A}$, for $j_1$ to map $L(-\mathfrak{D}_1)$ into $k_{\mathfrak{A}}$ one has to assume that the supports of $\mathfrak{D}_1$ and $\mathfrak{A}$ are disjoint, i.e., that $\mathfrak{A}$ does not divide $\mathfrak{D}_1$. If $\mathfrak{D}$ is not divisible by $\mathfrak{A}$, we can choose $\mathfrak{D}_1 = \mathfrak{D}$. Otherwise we have to choose $\mathfrak{D}_1$ as an integral divisor equivalent to $\mathfrak{D}$ and not divisible by $\mathfrak{A}$. Let $C_0$ be the class containing $\mathfrak{D}_0$ and $C$ the class containing $\mathfrak{D} = \mathfrak{D}_0 + \mathfrak{A}$; i.e., $C_0 = C - \mathfrak{A}$. If all integral divisors of the class $C$ are divisible by $\mathfrak{A}$, then $N(C) = N(C - \mathfrak{A}) = N(C_0)$. However, by the assumption of the nonspeciality of $\mathfrak{D}_0$ and $\mathfrak{D}$, $N(C) = d(\mathfrak{D}) - g + 1 = d(\mathfrak{D}_0) + n - g + 1$ and $N(C_0) = d(\mathfrak{D}_0) - g + 1$. Consequently, $N(C) = N(C_0)$ is impossible for $n \ge 1$, and there is always an integral divisor $\mathfrak{D}_1$ in the class $C$ not divisible by $\mathfrak{A}$. We show now that the mapping $j_1\colon L(-\mathfrak{D}_1) \to k_{\mathfrak{A}}$ is surjective. For this we have to show that the kernel of $j_1$ has dimension over $k$ equal to $\dim_k L(-\mathfrak{D}_1) - d(\mathfrak{A}) = N(C) - n$. This kernel is, on the other hand, $L(\mathfrak{A} - \mathfrak{D}_1)$, whose dimension over $k$ is, by the assumption of the nonspeciality of $\mathfrak{D}_0$ (or $C_0$), $\dim_k L(\mathfrak{A} - \mathfrak{D}_1) = N(C - \mathfrak{A}) = N(C_0) = d(\mathfrak{D}_0) - g + 1$. The nonspeciality of $\mathfrak{D}$ (or $C$) implies, on the other hand, that $N(C) - n = d(\mathfrak{D}_1) - n - g + 1 = (n + d(\mathfrak{D}_0)) - n - g + 1 = d(\mathfrak{D}_0) - g + 1$. As a consequence, $j_1$ is surjective.
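The construction of Proposition 4.3 (with the divisor choice of Corollary 4.4) in its simplest instance, the genus-0 function field $K = \mathbb{F}_p(x)$, as an added example that is not the paper's code: $\mathfrak{A}$ is the prime divisor of an irreducible $f$ of degree $n$, $\mathfrak{D} = (n-1)P_\infty$, so $L(-\mathfrak{D})$ and $L(-2\mathfrak{D})$ are the polynomials of degree $< n$ and $\le 2n-2$, $t = 2n-1$, $\mathfrak{S}$ is any $2n-1$ elements of $\mathbb{F}_p$ (which needs $p \ge 2n-1$), and $B_0$ is the Lagrange interpolation matrix. The function names and the instance $\mathbb{F}_{7^3} = \mathbb{F}_7[x]/(x^3+2)$ used in the comments are assumptions of this example.

```python
# Added example (not the paper's code): Proposition 4.3 in the genus-0 case K = F_p(x).
# Assumed instance: A = prime divisor of an irreducible f of degree n, D = (n-1)*P_inf, so
# L(-D) = {deg < n}, L(-2D) = {deg <= 2n-2}, t = 2n-1, and S = 2n-1 elements of F_p (p >= 2n-1).
from itertools import product

def poly_mul(a, b, p):  # schoolbook product over F_p, coefficient lists low degree first
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out

def poly_mod(a, f, p):  # reduction mod monic f: the linear map Z_r -> z_m (the scalars C^r_m)
    n, a = len(f) - 1, a[:]
    for i in range(len(a) - 1, n - 1, -1):
        c = a[i]
        for j in range(n + 1):
            a[i - n + j] = (a[i - n + j] - c * f[j]) % p
    return a[:n]

def lagrange_basis(points, p):  # l_s(x) = prod_{j != s} (x - x_j)/(x_s - x_j): the matrix B_0
    basis = []
    for s, xs in enumerate(points):
        num, den = [1], 1
        for xj in points[:s] + points[s + 1:]:
            num = poly_mul(num, [(-xj) % p, 1], p)
            den = den * (xs - xj) % p
        inv = pow(den, p - 2, p)  # inverse in F_p by Fermat (p prime)
        basis.append([c * inv % p for c in num])
    return basis

def chudnovsky_mul(a, b, f, p):
    """Product of a, b in F_p[x]/(f); returns (coefficients, number of essential multiplications)."""
    n, t = len(f) - 1, 2 * len(f) - 3  # t = 2n-1 = dim L(-2D)
    assert p >= t, "genus 0 needs 2n-1 rational points, so p >= 2n-1"
    points = list(range(t))  # the set S of degree-1 prime divisors
    ev = lambda c, x: sum(ci * pow(x, i, p) for i, ci in enumerate(c)) % p
    X = [ev(a, x) for x in points]  # linear forms X_s = sum_i x_i f_i(P_s)
    Y = [ev(b, x) for x in points]  # linear forms Y_s
    W = [xs * ys % p for xs, ys in zip(X, Y)]  # the only essential multiplications
    Z = [0] * t  # Z_r = sum_s B^0_{rs} X_s Y_s
    for ws, ls in zip(W, lagrange_basis(points, p)):
        for r, c in enumerate(ls):
            Z[r] = (Z[r] + ws * c) % p
    return poly_mod(Z, f, p), t  # z_m = sum_r C^r_m Z_r

def agrees_with_schoolbook(f, p):  # exhaustive check over all pairs (small fields only)
    elems = [list(e) for e in product(range(p), repeat=len(f) - 1)]
    return all(chudnovsky_mul(a, b, f, p)[0] == poly_mod(poly_mul(a, b, p), f, p)
               for a in elems for b in elems)
```

For $n = 3$ over $\mathbb{F}_7$ the product costs $t = 5$ essential multiplications against $9$ for the schoolbook method, and `agrees_with_schoolbook([2, 0, 1], 5)` verifies every pair in $\mathbb{F}_{25} = \mathbb{F}_5[x]/(x^2+2)$.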

Let $\mathfrak{A}$ be an arbitrary prime divisor on $K$ of degree $n$ and let $k_{\mathfrak{A}}$ be its residue class field, which is an extension of $k$ of degree $n$. Let us denote by $\#K(k)$ the number of first-degree prime divisors on $K/k$. It follows from Corollary 4.4 that whenever there exists a nonspecial divisor $\mathfrak{D}_0$ on $K$ of degree $m$ such that $m + n \ge 2g - 1$ and $\#K(k) > 2m + 2n$, the multiplicative complexity, $\mu_k(k_{\mathfrak{A}})$, of computation of multiplication in $k_{\mathfrak{A}}$ over $k$ does not exceed $2m + 2n - g + 1$.

As for the optimal choice of these parameters [$g$, $\#K(k)$, and $m$] for a fixed finite field $k$ and degree $n > 1$, we are faced with the problem of finding algebraic curves over a finite field $k = \mathbb{F}_q$ with the maximal number of points (i.e., prime divisors of the first degree) for a given genus $g$ (as $g \to \infty$). Interest in this problem was stimulated by Goppa codes, and we refer to refs. 10 and 15 for results and a review of the literature on this subject. For our purpose Ihara's result (see ref. 15) is sufficient.

PROPOSITION 4.5. (See refs. 10 and 15.) For a fixed $q$ there are curves $\Gamma$ over $\mathbb{F}_q$ of genus $g$ with $g(q - 1) + o(g)$ $\mathbb{F}_{q^2}$-rational points.

The same kind of asymptotic bound $\lim_{g \to \infty} \#\Gamma(\mathbb{F}_{q^2})/g(\Gamma) \ge q - 1$ for the number $\#\Gamma(\mathbb{F}_{q^2})$ of $\mathbb{F}_{q^2}$-points on the curve $\Gamma$ of genus $g(\Gamma)$ holds for a variety of modular curves according to ref. 15. This bound is, apparently, the best possible because $\limsup_\Gamma \#\Gamma(\mathbb{F}_q)/g(\Gamma) \le \sqrt{q} - 1$ according to refs. 10 and 15. All curves and appropriate sets of divisors in Proposition 4.5 can be effectively constructed in polynomial time (15).

We can combine Proposition 4.5 and Corollary 4.4 and construct low multiplicative complexity algorithms over $\mathbb{F}_q$ for multiplication in finite extensions of $\mathbb{F}_q$. To do this, we have to ensure the existence of certain divisors from Corollary 4.4. First of all, we need the existence of prime divisors of degree $n$ on the function field $K$ over $k = \mathbb{F}_q$ for sufficiently large $n$. Second, we need the existence of nonspecial divisors $\mathfrak{D}_0$ of degree $g + o(g)$ on $K/k$. To prove the existence of such divisors, we use the properties of the $\zeta$-function $Z(u)$ from Eqs. 4.1 and 4.2. Let $N\mathrm{prime}_n$ denote the number of prime divisors on $K/k$ of degree $n$. It follows from Eq. 4.1 that $\frac{d}{du} \log Z(u) = \sum_{n=1}^\infty u^{n-1} \{\sum_{d \mid n} N\mathrm{prime}_d \cdot d\}$. Comparing this expansion with the representation 4.2 for $P_{2g}(u) = \prod_{i=1}^{2g} (1 - u\omega_i)$, we obtain

$$q^n + 1 - \sum_{i=1}^{2g} \omega_i^n = \sum_{d \mid n} N\mathrm{prime}_d \cdot d \qquad [4.3]$$

for any $n \ge 1$. The representation 4.3 allows us to obtain good asymptotic bounds on $N\mathrm{prime}_n$ since $|\omega_i| = \sqrt{q}$ for all $i = 1, \ldots, 2g$. In applications, $q$ is fixed and $n = O(g)$. Under these assumptions, $N\mathrm{prime}_n$ is asymptotically $\frac{1}{n}\{q^n + O(q^{n/2})\}$. For example, it follows from Eq. 4.3 that

$$N\mathrm{prime}_n > \{q^n - q^{n/2}(4g + q)\}/n \qquad [4.4]$$

if $n > 2$. In particular, there are prime divisors of degree $n$ on $K/k$ whenever $n \ge c_1 \log g/\log q$ (for an absolute constant $c_1$). Thus if $q$ is fixed, there always exists a prime divisor of degree $n$ on $K/k$ for $n \ge g + o(g)$. According to Theorem 4.2, an integral divisor $\mathfrak{D}_0$ is special iff $N(W - C_0) > 0$ for the class $C_0$ containing $\mathfrak{D}_0$, i.e., iff there exists a (nonzero) differential of the first kind divisible by $\mathfrak{D}_0$. The space over $k$ of all differentials of the first kind on $K/k$ has dimension $N(W) = g$. Let us assume that $m$ is an integer $\ge g$ such that $N\mathrm{prime}_m > 2q^g$. We claim that in this case there exists at least one nonspecial prime divisor of degree $m$ on $K/k$. If this is not the case, then for any prime divisor $\mathfrak{D}_0$ of degree $m$ on $K/k$ there exists a differential $\omega_0$ such that the divisor $(\omega_0) - \mathfrak{D}_0$ is integral. There are at most $q^g - 1$ nonzero differentials of the first kind on $K/k$. Because $N\mathrm{prime}_m > 2q^g$, to two distinct prime divisors $\mathfrak{D}_0$ and $\mathfrak{D}_1$ of degree $m$ on $K/k$ there corresponds a single differential $\omega_0$ such that $(\omega_0) - \mathfrak{D}_0$ and $(\omega_0) - \mathfrak{D}_1$ are integral. The degree of the divisor of any differential of the first kind is $2g - 2$ by the Riemann-Roch theorem. Thus $d((\omega_0)) = 2g - 2$ and $(\omega_0)$ cannot be divisible by $\mathfrak{D}_0 + \mathfrak{D}_1$ ($\mathfrak{D}_0 \ne \mathfrak{D}_1$), because $d(\mathfrak{D}_0 + \mathfrak{D}_1) = 2m \ge 2g$. We have shown that whenever $m \ge g$ and $N\mathrm{prime}_m > 2q^g$,

there are nonspecial prime divisors of degree $m$ on $K/k$. From 4.4 it follows that for $m = g + o(g)$ there always exists a nonspecial divisor of degree $m$ on $K/k$. Combining these results with Proposition 4.5 and Corollary 4.4 we arrive at the following.

THEOREM 4.6. Let $q$ be a square $\ge 25$. Then the multiplicative complexity $\mu_{\mathbb{F}_q}(\mathbb{F}_{q^n})$ of multiplication in the field $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ can be bounded as follows:

$$\mu_{\mathbb{F}_q}(\mathbb{F}_{q^n}) \le 2n\Big(1 + \frac{1}{\sqrt{q} - 3}\Big) + o(n)$$

as $n \to \infty$. Moreover, the bilinear algorithms realizing this upper bound can be constructed effectively in polynomial time.
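Eq. 4.3 and the bound 4.4 worked through on a constructed instance, as an added example that is not from the paper: the coefficients of $P_{2g}(u)$ give the power sums $\sum_i \omega_i^n$ by Newton's identities, Eq. 4.3 is then solved recursively for $N\mathrm{prime}_n$ (closed points of degree $n$), and the result is compared with 4.4. The instance is the elliptic curve $y^2 = x^3 + 4x$ over $\mathbb{F}_5$, which has 8 rational points (counted by hand), so $P_2(u) = 1 + 2u + 5u^2$; the function names are assumptions of this example.

```python
# Added example (not from the paper): prime-divisor counts Nprime_n from Eq. 4.3 and the
# lower bound 4.4. Input: the numerator P_2g(u) = 1 + c_1 u + ... + c_2g u^2g of Z(u) as the
# list [c_1, ..., c_2g]; power sums of the Frobenius eigenvalues come from Newton's identities.
def power_sums(c, nmax):
    """p_n = sum_i omega_i^n for n = 0..nmax, where prod_i (1 - omega_i u) = 1 + sum_k c_k u^k."""
    m = len(c)                                   # m = 2g
    p = [m]                                      # p_0 = number of eigenvalues
    for n in range(1, nmax + 1):
        s = -sum(c[k - 1] * p[n - k] for k in range(1, min(n - 1, m) + 1))
        if n <= m:
            s -= n * c[n - 1]                    # extra term of Newton's identity for n <= 2g
        p.append(s)
    return p

def prime_divisor_counts(q, c, nmax):
    """Solve Eq. 4.3, q^n + 1 - p_n = sum_{d | n} d * Nprime_d, for Nprime_1 .. Nprime_nmax."""
    p = power_sums(c, nmax)
    counts = {}
    for n in range(1, nmax + 1):
        total = q ** n + 1 - p[n]                # number of F_{q^n}-rational points
        lower = sum(d * counts[d] for d in range(1, n) if n % d == 0)
        assert (total - lower) % n == 0, "not a valid zeta numerator"
        counts[n] = (total - lower) // n
    return counts

def bound_4_4(q, g, n):
    """Right-hand side of 4.4: {q^n - q^{n/2} (4g + q)} / n, stated for n > 2."""
    return (q ** n - q ** (n / 2) * (4 * g + q)) / n

# Constructed instance: y^2 = x^3 + 4x over F_5 has 8 rational points (counted by hand),
# so P_2(u) = 1 - a u + q u^2 with a = q + 1 - 8 = -2, i.e. c = [2, 5].
ELLIPTIC_F5 = (5, [2, 5])
```

With an empty coefficient list ($g = 0$, $K = \mathbb{F}_q(x)$) the recursion returns $q + 1$ degree-1 places and the familiar counts of monic irreducible polynomials for higher degrees.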

This work was supported by the National Science Foundation, U.S. Air Force, and program OCREAE.

1. Winograd, S. (1977) Math. Syst. Theory 10, 169-180.
2. Fiduccia, C. M. & Zalcstein, Y. (1977) J. Assoc. Comput. Mach. 24, 311-331.
3. Adler, A. & Strassen, V. (1981) Theor. Comput. Sci. 15, 201-211.
4. de Groote, H. F. (1983) SIAM J. Comput. 12, 101-117.
5. Schönhage, A. & Strassen, V. (1971) Computing 7, 281-292.
6. Nussbaumer, H. J. (1982) Fast Fourier Transform and Convolution Algorithms (Springer, New York).
7. Brockett, R. W. & Dobkin, D. (1978) Linear Algebra & Appl. 19, 207-235.
8. Brown, M. R. & Dobkin, D. (1980) IEEE Trans. Comput. 29, 337-340.
9. McEliece, R. J., Rodemich, E. R., Rumsey, H. & Welch, L. R. (1977) IEEE Trans. Inf. Theory 23, 157-166.
10. Lachaud, G. (1985) Astérisque 133, 189-207.
11. Laskowski, S. J. (1982) J. Comput. Syst. Sci. 24, 1-14.
12. MacWilliams, F. J. & Sloane, N. J. A. (1977) The Theory of Error-Correcting Codes (North-Holland, Amsterdam).
13. Ja'Ja', J. (1980) J. Assoc. Comput. Mach. 27, 822-830.
14. Deuring, M. (1973) Lectures on the Theory of Algebraic Functions of One Variable (Springer, New York).
15. Vlăduţ, S. G. & Manin, Yu. I. (1984) J. Sov. Math. 25, 2611-2643.
